Security leaders say these programs will not only foster a conducive ecosystem for start-ups, accelerating their growth, but also make it easier to conduct business and encourage developing innovative products in India. Experts also argue whether Modi's plan will boost security start-ups and generate demand for their own products, which protect India's critical infrastructure.

Value to Indian Security Start-ups

Experts believe India's witnessing a mushrooming of security start-ups with big innovation plans to help India protect its critical infrastructure against growing cyber-threats.

In his plan, which is expected to be incorporated in the forthcoming budget, Modi announced a three-year exemption from inspections; an online portal and mobile app; 80 percent cut in the patent application fee; a single-point hub for handholding; exemption from capital gains tax on personal property sold to invest in start-ups; dedicated funds of Rs 10,000 crore to promote start-ups; mobile app for start-up registration in one day; 35 public-private incubators and 31 innovation centers at national institutes.

"India must understand that cybersecurity can bring tremendous economic growth and be an important asset in building the national security capacity," says Delhi-based Tarun Wig, co-founder Innefu Labs, a research oriented security group.

Godse adds, "The R&D, capital gains and repository tax exemptions will provide impetus as companies can then focus on developing quality products."

Hiccups for Security Start-ups

But there are fundamental challenges, critics say. Unless bottlenecks are removed, it will be difficult for organizations to scale up or innovate.

"The biggest challenge is systematic and organized corruption in the IT space," says Wig. "Public sector units choose foreign products without giving home grown products a chance to compete - a major setback."

He continues: "Recently, a PSU - HPCL - did a limited tender for a multifactor authentication product, inviting only four foreign vendors. Following a protest, instead of correcting their mistake they asked how we'd known about the tender. This, though Indian vendors have a competitively priced better quality product."

Critics argue this approach exists in the system integrator industry also - big four consultants such as PwC, E&Y and others ensure the specifications are custom-tailored for products they have an interest in. Foreign vendors have an extremely strong lobby to create entry barriers for Indian security start-ups, despite enough demand for cybersecurity products.

Mumbai-based Sanjay Deshpande, CEO, chief innovation officer of Uniken, a security product company, says globally, the cybersecurity ecosystem is developed by the national defence structures and organizations. "Unless the Indian Defence takes an active role in funding and developing the ecosystem, the sector will remain weak," he says.

DSCI's Godse sees four major challenges for security companies:

Building a market for themselves, as there are no success stories despite great efforts and products;

So far, the government's not been an enabler for generating demand and encouraging action at the ground level;

Innovations at the R&D at academic institutions don't translate into skill development or product innovation;

Hidayatullah says the customer mind-set should change towards Indian products or technology as most often we find Indian start-ups do get acquired for technology by the big vendors, which means the technology developed by the Indian companies are state of art and proven.
"Hence, enterprise customer should actually prefer something developed domestically. Many venture-backed start-ups use the brand of their VC to prove credibility to prospects which is sad," he says.

What do Security Start-ups Need?

The DSCI report says Indian security consumption is $1.6 billion; of this, Indian companies serve about $200 million. The rest is serviced by non-Indian firms.

While tax exemptions are fine, security start-ups, says Hidayatullah, would benefit if the government rationalises its procurement process to allow companies to compete, as well as help with their credibility (vetting of technology by IITs, adoption by the armed forces, etc.).

'The government could consider policies where Indian companies must give weightage to an indigenous cybersecurity product / run one innovation initiative every year," he says. "Tax breaks are great; increasing market opportunities domestically is far better."

Wig suggests India should emulate the U.S. model.

"U.S. has established In-Q-Tel, a CIA-funded venture capital fund which identifies the latest technology which could be used by CIA's future intelligence gathering mechanisms. They identify and fund technologies to create a ready marketable product - used not only for CIA, but also sold to the entire world." But India's not offered any such initiative.

Deshpande recommends more tax exemptions on profits - exemptions on input costs such as employee salaries: "Customers buying from start-ups should be given tax incentives - they will then take more risks, passing on these benefits to start-ups through better price points."

Godse expects the government to roll out policies conducive to security companies and generate product demand.

"Relax entry barriers for Indian firms in the empanelment criteria for manufacturing products," says Godse.

"Aggressively involve government-owned research institutions and academia to collaborate and drive innovative products," he argues.

About the Author

Nandikotkur is an award-winning journalist with over 20 years' experience in newspapers, audio-visual media, magazines and research. She has an understanding of technology and business journalism, and has moderated several roundtables and conferences, in addition to leading mentoring programs for the IT community. Prior to joining ISMG, Nandikotkur worked for 9.9 Media as a Group Editor for CIO & Leader, IT Next and CSO Forum.

Operation Success!

Risk Management Framework: Learn from NIST

From heightened risks to increased regulations, senior leaders at all levels are pressured to
improve their organizations' risk management capabilities. But no one is showing them how -
until now.

Learn the fundamentals of developing a risk management program from the man who wrote the book
on the topic: Ron Ross, computer scientist for the National Institute of Standards and
Technology. In an exclusive presentation, Ross, lead author of NIST Special Publication 800-37
- the bible of risk assessment and management - will share his unique insights on how to:

Understand the current cyber threats to all public and private sector organizations;

Develop a multi-tiered risk management approach built upon governance, processes and
information systems;